1. Field of the Invention
The present invention relates to a communication system that performs access authentication to a network, a relaying apparatus that relays communication related to access authentication, an authentication apparatus that performs access authentication, and a communication method.
2. Description of the Related Art
A network access authentication protocol has been heretofore used as a protocol for allowing network access only to a terminal authenticated for a certain network system.
For example, in “Protocol for carrying Authentication for Network Access (PANA)”, [online], retrieved from the Internet: <URL:http://www.ietf.org/html.charters/PANA-charter.html>, a network access authentication protocol referred to as Protocol for Carrying Authentication for Network Access (PANA) has been proposed. PANA is a network access authentication protocol being standardized by the Internet Engineering Task Force (IETF), and it operates over the User Datagram Protocol (UDP). In PANA, various approval policies can be set after authentication. For example, the approval policy can specify that filter settings be applied to a plurality of routers with respect to the IP address of a target terminal device.
Further, a network access authentication protocol referred to as Institute of Electrical and Electronics Engineers (IEEE) 802.1X is also widely known. The IEEE 802.1X protocol is a network access authentication protocol standardized by the IEEE, and it operates on a local area network (LAN). According to the IEEE 802.1X protocol, only the opening/closing of a LAN port with respect to a device address of the target terminal device can be set as the approval policy.
Thus, while there are a plurality of types of network access authentication protocol, they are not compatible with one another. However, there can be cases in which different network access authentication protocols need to be connected with each other and operated together.
For example, there can be cases in which (1) network systems using different network access authentication protocols are integrated into one system, (2) the network access authentication protocol is shifted to change the network access approval policy, and (3) a terminal applicable only to a network access authentication protocol having a simple approval policy is connected to a network system adopting a network access authentication protocol having a more complicated approval policy.
To realize unified network access authentication by integrating a plurality of network access authentication protocols, generally, one network access authentication protocol is adopted, and all components constituting the network system need to support the adopted network access authentication protocol.
Further, when the network access authentication protocols are integrated in this manner, there are requirements that (1) no change is required for a terminal connected to the network system, (2) the integrated network access authentication protocols can be authenticated uniformly by using one authentication server and one authentication database, even when a plurality of network access authentication protocols are supported, and (3) there is little modification of the network system itself.
However, it is difficult to make all the components constituting the network system support the same network access authentication protocol. For example, the components required for the network system and the adoptable approval policies are different for each network access authentication protocol. Therefore, when the network access authentication protocols are integrated into another protocol, the components may be insufficient, or the approval policy may not be realized.
As one method of integrating the networks, a method in which a terminal function of one protocol (for example, PANA) and switching equipment having a relay function of the other protocol (for example, IEEE 802.1X) are installed between the terminal device and the network system can be considered.
However, according to this method, although approval of the network access becomes possible by the IEEE 802.1X protocol via the switching equipment, the approval policy of PANA cannot be applied to a terminal that supports only the IEEE 802.1X protocol, because the difference between the approval policies is not taken into consideration. That is, the approval policy cannot be realized, thereby causing a problem in that access to the network system from the terminal device is restricted.